Next Talk: Fault Attacks on PCs?!
and without root privileges?!
”On Feasibility and Performance of RowHammer Attack”
Nicolas T. Courtois, Varnavas Papaioannou
University College London, UK
Security of Bitcoin
Dr. Nicolas T. Courtois blog.bettercrypto.com
1. cryptologist and codebreaker
2. payment and smart cards (e.g. bank cards, Oyster cards etc…)
Crypto Currencies
UCL London: COMPGA18 Cryptanalysis
Fault Attacks Courtois et al
This Talk:
• Even Earlier: Cold War crypto, DC history etc.
• Earlier historical context: smart cards
• Fault Attacks on PCs [boring? technical?]
– [NEW: high performance, avoid root privileges]
secure against fault attacks!
Code Breakers
Nicolas T. Courtois
Crypto History
[Crypto] Fault Attacks [in Cybersecurity]
• Powerful
• Difficult to make [technical difficulty + countermeasures + good security engineering]
CompSec Intro
Nicolas T. Courtois, January 2009
Defense in Depth!
Computer systems have multiple layers, e.g.
– HW components
– Chipset/MB
– Kernel Ring 0
– OS
– UAC
– HTTP sandboxing
– JavaScript
Powerful! A fault injected at the HW layer sits below every other layer of this stack.
Who Wins?
Attackers or Defenders?
Algebraic Attacks on Stream Ciphers
Fault Attacks in Cybersecurity
[diagram, labels recovered:]
– RNG
– Block and Stream Ciphers
– Digital Signatures, PK Encryption etc.
– Exploits
– "default or easy way"
– Practical Security Solutions: "potentially harder to perturb"
DFA Attacks…
(Differential Fault Analysis)
1. Provoke faults in the device,
2. Deduce the key by detailed mathematical analysis.
DFA Requirements
One needs to be able to run the same crypto algorithm many times with the same inputs.
The inputs do NOT need to be known.
• they usually are, but today we will see a realistic example where they aren’t (!) and yet the key is found.
DFA requires a DETERMINISTIC crypto process with a known output (from which the attacker wants to extract the secret key).
Examples where this happens:
GSM SIM card Authentication
[diagram: the network and the SIM card both hold Ki and run A3; the network sends the challenge RAND, the SIM card returns the Signed RESponse (SRES), and the network checks whether the two SRES values are equal]
• RUN GSM ALGORITHM, example APDU: A0 88 00 00 10 XX …………….XX
– CLA = A0, INS = 88, P1 and P2 both 0, Lc = 10 followed by the 16-byte random nonce
– no Le, no data expected in the reply; the result is announced in the status bytes 0x9F Le
In Contrast – 3G USIM Cards
No DFA attack, 2 reasons:
• the base station is authenticated first!
• the SQN should be checked for freshness.
– so the card should never agree to perform the same crypto computation twice
e-Smart 22/09/2010
In Contrast – MiFare Classic
The reader is authenticated first!
No DFA attack unless the card random repeats.
[diagram of the authentication exchange: card ID 32 bits, tag random 32 bits, encrypted reader random + reader response 2x32 bits, tag response 32 bits]
Bad RNG and Attacks on Building and Small Payment RFID (Courtois)
Example: London Oyster Card From 2006
• Min-entropy = 2.8 bits.
• Courtois Dark Side Attack time 2^2.8 x 10 s = 3 minutes per key extracted from the card [theoretical speed].
In Contrast – Bank Cards
Assuming the ATC is always incremented => the Session Key depends on the ATC => impossible to get the same cryptogram twice => DFA is impossible!
[diagram of the session key derivation: 112-bit IMK, the 16-bit ATC entered twice through two unknown (?) functions, giving two 64-bit halves of the Session Key]
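To make the DFA requirement of the preceding slides concrete, an added Python model that is not code from the talk or from the authors' tools: two toy cards return a 64-bit MAC over a challenge; the GSM-like card is stateless, so every run repeats the identical computation, while the EMV-like card derives its session key from an incrementing ATC, so no faulty output can ever be paired with a correct output of the same computation. HMAC-SHA256 stands in for the card cipher, and the keys, challenge and one-bit fault model are constructed.

```python
import hashlib
import hmac

# Constructed toy model, not the talk's or the authors' code: two cards return a
# 64-bit MAC over a 16-byte challenge. HMAC-SHA256 stands in for the card's real
# cipher; the "fault" flips one bit of the cipher input, standing in for a
# glitch. Keys and challenge are constructed test values.
KI = bytes.fromhex("00112233445566778899aabbccddeeff")   # GSM-like card key
IMK = bytes.fromhex("ffeeddccbbaa99887766554433221100")  # EMV-like master key
RAND = bytes(range(16))                                  # constructed challenge

def mac(key: bytes, data: bytes) -> bytes:
    return hmac.new(key, data, hashlib.sha256).digest()[:8]

def glitch(data: bytes, fault: bool) -> bytes:
    """Fault model: flip bit 0 of the first input byte when a fault is injected."""
    buf = bytearray(data)
    if fault:
        buf[0] ^= 0x01
    return bytes(buf)

class GsmLikeCard:
    """RUN GSM ALGORITHM: SRES = f(Ki, RAND). Stateless, so the same RAND makes
    the card repeat the identical computation as often as it is asked."""
    def __init__(self, ki: bytes):
        self.ki = ki

    def respond(self, rand: bytes, fault: bool = False) -> bytes:
        return mac(self.ki, glitch(rand, fault))

class EmvLikeCard:
    """Session key = f(IMK, ATC) with the ATC incremented before every
    cryptogram, so two runs with the same input never repeat a computation."""
    def __init__(self, imk: bytes):
        self.imk, self.atc = imk, 0

    def respond(self, rand: bytes, fault: bool = False) -> bytes:
        self.atc += 1
        session_key = mac(self.imk, self.atc.to_bytes(2, "big"))
        return mac(session_key, glitch(rand, fault))

def usable_dfa_pairs(card, rand: bytes, runs: int) -> int:
    """DFA needs (correct, faulty) outputs of the SAME computation. Take one
    clean output as the reference; a faulted output counts only if a clean
    re-run still reproduces that reference. Returns the number of usable pairs."""
    reference = card.respond(rand)
    usable = 0
    for _ in range(runs):
        faulty = card.respond(rand, fault=True)
        if faulty != reference and card.respond(rand) == reference:
            usable += 1
    return usable
```

With 20 faulted runs the GSM-like card yields 20 usable pairs and the EMV-like card none, which is the whole protocol-level argument of these slides.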
Conjecture/Claim: [Courtois@eSmart 2010]
Fault attacks are feasible in practice only when the industry uses BAD PROTOCOLS?
commercial security => bad security?
Roadmap
Fault Attacks in Practice on [Unnamed] Smart Cards
[Courtois, Jackson, Ware, eSmart conference, France, 2010]
Lab Work
• Voltage glitch applied close to the final round.
• Triggers an ATR (the card resets) – defensive behaviour, attack detected.
Glitches in the 8th Round
5 consecutive faults obtained with precise timing and a consistent perturbation type:
Cold War: Differential Cryptanalysis and Fault Attacks
East German Block Cipher Class Alpha, c. 1970
obscure origins…
[full document not available]
East German SKS V/1 and T-310
240 bits
long-term secret: 90 bits only!
“quasi-absolute security” [1973-1990]
T-310 is SECURE against Fault Attacks
On two accounts:
• it has a physical RNG => IV => cannot do the same encryption twice
• everything is DUPLICATED
Security Against Fault Attacks => obligatory in Eastern Bloc Cryptography in 1973!
fault detection logic!
Differential Cryptanalysis = DC
Wikipedia DC entry says: In 1994 […] IBM […] Coppersmith published a paper stating that DC was known to IBM as early as 1974.
Coppersmith explains: "After discussions with NSA… it was decided that disclosure of the design considerations would reveal the technique of DC, a powerful technique […] would weaken the competitive advantage the U. S. enjoyed over other countries in the field of cryptography."
“Official” History
• Differential Cryptanalysis: Biham-Shamir [1991]
DC was studied in Eastern Germany in 1973!
Fault Attacks on PCs [this paper]
Rule Nb. 1
Never believe what hackers claim.
=> Most attacks described in the current literature do NOT work as claimed, or are hard to make work.
=> Many others require root access. However, if the attacker is root, there are lots of other things he can do….
Our work: practical attacks without root privileges, which also work in a VM, and some of the highest speeds EVER achieved.
Our Goal: Introduce Faults in RAM
RAM cell
Arrays of Capacitors – normal R operation
capacitors lose their charge => refresh
RowHammer Attack, “double-sided” [BlackHat’15]
Difficulties
• How to bypass the cache??? => otherwise the data is not read from RAM
• Avoid the row buffer of the target row => otherwise the data is not read from RAM either!
SBDR – goal to achieve
• Same Bank Different Rows [Dullien Seaborn 2015]
Considered a minimum requirement to launch a RowHammer attack…
Just this leads to quite poor attacks… like 5 bit flips in 10 minutes.
Of course just ONE bit flipped could achieve something spectacular:
recover a valuable Bitcoin private key worth M$...
Cache Avoidance / Data Eviction
• Fill the cache with lots of data.
• CLFLUSH instruction: all attacks in our paper need/use it
– available in user space on Intel processors
– ARM processors in mobile phones are MORE secure!!!!
Obfuscation!
S&P’13 => security by obscurity!
• documented by AMD,
• secrecy by Intel…
• cf. new processors, DDR4, etc.
Beware!
Attackers CAN reverse engineer it more or less EASILY: cf. our tcrh tool [and S&P’13 and Usenix 2007]
github.com/vp777/Rowhammer
another trick we use: increase the page size
the mapping is “more” transparent to the user…
the offset within the page is the same as the physical offset
cf. our hprh tool => pages can be up to 1G on Intel! => we use the THP feature of Linux: 4K => 2M
github.com/vp777/Rowhammer
THP => incredible boost
We also provide patches to 2 third-party rowhammer attack tools which add the THP ability! [NEW!]
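A defender's counterpart to the huge-page point above, as an added Python audit that is not part of the talk or of the authors' tools: it reads the Linux THP policy and the explicit huge-page pool and flags the settings under which an unprivileged process is handed the 2 MB (THP) or up to 1 GB (hugetlb) physically contiguous pages described in these slides. The sysfs and /proc paths are the real kernel interfaces; the sample contents used for testing are constructed.

```python
import re

# Constructed audit, not the talk's or the authors' tooling: check the Linux
# huge-page settings that give an unprivileged process the 2 MB (THP) or 1 GB
# (hugetlb) physically contiguous pages the talk's hprh tool benefits from.
# The paths are the real kernel interfaces; sample contents are constructed.
THP_ENABLED = "/sys/kernel/mm/transparent_hugepage/enabled"
MEMINFO = "/proc/meminfo"

def thp_policy(text: str) -> str:
    """Parse '[always] madvise never' sysfs output: the bracketed word is the
    active policy."""
    match = re.search(r"\[(\w+)\]", text)
    if not match:
        raise ValueError(f"unrecognised THP policy line: {text!r}")
    return match.group(1)

def hugetlb_pool(meminfo: str) -> dict:
    """Extract the explicit huge-page pool (hugetlbfs) from /proc/meminfo."""
    fields = {}
    for key in ("HugePages_Total", "HugePages_Free", "Hugepagesize"):
        m = re.search(rf"^{key}:\s+(\d+)", meminfo, re.MULTILINE)
        fields[key] = int(m.group(1)) if m else 0
    return fields

def assess(thp_text: str, meminfo: str) -> list:
    """Return findings. 'always' backs every large anonymous mapping with 2 MB
    pages unasked; 'madvise' still grants them to any process that calls
    madvise(MADV_HUGEPAGE); only 'never' closes the transparent path. A
    configured hugetlb pool is reported so its access policy can be reviewed."""
    findings = []
    policy = thp_policy(thp_text)
    if policy == "always":
        findings.append("THP=always: 2 MB pages handed to every process")
    elif policy == "madvise":
        findings.append("THP=madvise: 2 MB pages available to any process on request")
    pool = hugetlb_pool(meminfo)
    if pool["HugePages_Total"]:
        findings.append(f"hugetlb pool: {pool['HugePages_Total']} pages of "
                        f"{pool['Hugepagesize']} kB configured")
    return findings

def audit_live() -> list:
    """Run the assessment against this machine (Linux only)."""
    with open(THP_ENABLED) as thp, open(MEMINFO) as mem:
        return assess(thp.read(), mem.read())
```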
Comparison of Attack Tools
[4] = Dullien-Seaborn 2015
[8] = Gruss-Maurice 2016-17
[2] = Tatar, 2016
[13] = our two new software tools: github.com/vp777/Rowhammer
New tools we developed:
• our hprh tool = Huge Page RowHammer
• our tcrh tool = Timing Channel RowHammer
github.com/vp777/Rowhammer
Results: #Bits Flipped / 10 minutes => github.com/vp777/Rowhammer
[chart; bars marked root, NEW! and MODIFIED!]